SaabWorld under attack - connection problems and database errors.

The site has been mostly unusable since Saturday evening. The servers of our host were hit very hard with all kinds of attacks, resulting in the forum not loading at all and many database errors. SaabWorld.net has shared hosting with other sites on the same server.

Tech support at our host is top notch and they identified and fixed the issue at their Strasbourg, France server location where SaabWorld.net is hosted. SaabWorld.org hosted in Rotterdam has not been affected.

It looks like the forum is back to normal at times but still suffers the occasional outage. It also may be a bit slower than usual for now.

Info from our webhost:

You may have a website at the NABOO server; since Saturday night / early Sunday this server was under attack. While the main issue was spotted quickly, we also noticed this issue had no 'fast' solution.

What we encountered on the server was nearly all WordPress sites on the server being attacked; while this is a common attack vector, we also found that one of our main protections against this type of attack did not function correctly. The only resolution we had at that time was starting to block the attacking IPs; but each IP was unique, and once we blocked one we got 10 new connections from different IPs in its place.

We started to write a script to automatically filter the attacks; this worked for a while but caused the firewall to reload every 15 minutes, which was still stressing the server, and even though we had already blocked tens of thousands of attacking IPs it did not bring the server back to its normal level.

At this point the developer of the security tools was also busy trying to investigate the issue, which they are still doing; but we still had a server which sometimes worked and sometimes did not. The worst part was that the server disks started to get out of sync due to the heavy attacks as well, slowing things down even further.

As the xmlrpc.php attacks on WordPress continued, we decided to rename the xmlrpc.php service on all accounts which were under attack to attack.xmlrpc.php. THIS WILL BREAK THE XMLRPC SERVICE FOR WORDPRESS SITES! But it was our only solution to stop the xmlrpc.php attacks and make sure the server resources were not spent only on loading firewall rules and filtering IPs, leaving all sites unavailable.

To our shock this did NOT resolve the issue, and the server did remain responding; however, the load did come down. This is when we spotted another account which was actually sending out an attack (DOS) to an external host; we have SUSPENDED this account pending investigation. At this point the server load is back to normal and sites start to load again. However, the disk is still out of sync and is rebuilding; unfortunately, with large disks this can take a day or more to fully recover. This may leave the sites a bit slower, but they will load again.

Together with our security tool provider we keep monitoring and stabilizing the server to acceptable levels in the coming hours.

If you have a WordPress website, please make sure you have updated ALL your plugins, not only automatically upgraded WordPress; 9 out of 10 WordPress hacks are not related to the tool itself but to the plugins you may have installed; some very popular plugins have security issues and should be upgraded. We recommend checking your WordPress site for updates at least once a week.
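
The host's observation that blocking individual IPs did not help, because each attacking IP was unique, can be shown in access-log terms. The following is an added example, not code from the host or from this post; the log lines, the two thresholds and all function names are constructed assumptions.

```python
import re
from collections import Counter

# Combined-log-format prefix: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(lines):
    """Yield (ip, method, path, status) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, path.split("?", 1)[0], int(status)

def assess(lines, per_ip_limit=20, endpoint_limit=100):
    """Compare per-IP blocking with an endpoint-wide count of xmlrpc.php POSTs.

    Both limits are assumed values for this sample, not tuned recommendations.
    """
    per_ip = Counter()
    for ip, method, path, _ in parse(lines):
        # Matches /xmlrpc.php in any directory, but not a renamed file.
        if method == "POST" and path.endswith("/xmlrpc.php"):
            per_ip[ip] += 1
    total = sum(per_ip.values())
    over = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    return {
        "xmlrpc_posts": total,
        "unique_ips": len(per_ip),
        "ips_over_limit": over,
        "posts_covered_by_ip_blocks": sum(per_ip[ip] for ip in over),
        "endpoint_alert": total >= endpoint_limit,
    }

def sample_log():
    """Constructed log: 300 sources x 2 POSTs, one noisy source, normal traffic."""
    fmt = '{} - - [01/Jan/2000:00:00:00 +0000] "{} {} HTTP/1.1" {} 0'
    lines = []
    for i in range(300):  # documentation-range addresses, each seen only twice
        ip = f"{'203.0.113' if i < 150 else '198.51.100'}.{i % 150 + 1}"
        lines += [fmt.format(ip, "POST", "/xmlrpc.php", 200)] * 2
    lines += [fmt.format("192.0.2.10", "POST", "/blog/xmlrpc.php", 200)] * 25
    lines += [fmt.format("192.0.2.20", "GET", "/forum/index.php", 200)] * 40
    lines += [fmt.format("192.0.2.30", "POST", "/attack.xmlrpc.php", 404)] * 5
    return lines

if __name__ == "__main__":
    for key, value in assess(sample_log()).items():
        print(f"{key}: {value}")
```

On this constructed sample, blocking every IP over the per-IP limit covers 25 of the 625 xmlrpc.php POSTs, while the endpoint-wide count flags the flood regardless of how many sources it is spread across.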